alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS MediaWiki thumb.php RCE"; flow:to_server,established; pcre:"/[&?](?:(?:p|%[57]0)(?:(?:a|%[46]1)(?:g|%[46]7)(?:e|%[46]5))?|(?:w|%[57]7)(?:(?:i|%[46]9)(?:d|%[64]4)(?:t|%[57]4)(?:h|%[64]8))?)(?:\s|%20)*?(?:%3d|=)(?:\s|%20)*?(?:\d|%3[0-9])+?(?:\x3b|%3[bB]|%26)/Ii"; http.uri; content:"/thumb.php?"; nocase; pcre:"/[&?](?:w(?:idth)|p(?:age))=\d+\s*?[\x3b&]/i"; pcre:"/[&?]f=/i"; reference:url,github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/mediawiki_thumb.rb; reference:cve,2014-1610; classtype:attempted-admin; sid:2018168; rev:3; metadata:created_at 2014_02_22, cve CVE_2014_1610, signature_severity Major, updated_at 2020_04_28;)